Several episodes discuss using a USB to run apps to capture data from dynamic sources like RAM. How would you accomplish this if mounting USB drives is disabled through Group Policy?
Unsolved Digital Forensics Investigator USB based apps
Good morning, I hope all is well. Great question !! Let's discuss two different scenarios that may help to unravel this for you.
Scenario 1: You could bypass the group policy settings if you had knowledge of the local administrators account on the device in question. This would allow you to mount a USB based device and access tools from it. Depending on the O/S in question, you would be able to either switch users, and / or log off and log back in as the local administrative user.
Scenario 2: You could access the tools in question via a network connection and as a result not have to use a USB device to introduce them to the machine, effectively bypassing the Group Policy.
While both scenarios could work, depending on circumstances and variables, both have risks associated with them. In scenario 1, you run the risk of losing information about the current user session and that may be unacceptable. In scenario 2, you run the risk of further compromising the system, and / or allowing it to compromise other systems if a connection to the network and / or the internet is allowed.
Sometimes in forensics, we have to make the best choice based on circumstances. As a result, we are not always able to operate in a way that is ideal, but rather, we operate in a way that does the least amount of harm and attempts to maximize our ability to recover information in a forensically sound manner.
I hope that helps. Please let me know if you have any further questions.
Good Luck !!